Security learning lessons from the IRS breach

Another major breach hits the headlines, one that affects 100,000 people.  This time it’s not a bank or a healthcare organization, it’s the IRS.  Even though the organization is of a different nature, the data taken was the same in its value, as were the reasons for the successful breach.

Some details on the IRS breach:

• The data breach culprits were able to access personal tax-payers’ information through the “Get Transcript” application, and were able to clear the multi-authentication process in place, as well as additional security checks that were supposed to keep the data secure.

• At a hearing of the Senate Finance Committee, J. Russell George (the Treasury’s inspector general for tax administration) told the panel that the IRS had not yet implemented 44 of his security recommendations and that the agency didn’t always apply the necessary computer security upgrades to protect data, nor did they monitor many of their servers.  Although these measures might not have prevented the breach, George continued to say that it would have at least made it more challenging for the intruders.

• Also highlighted was the fact that cyber security spending had decreased by 20% since 2011 and that the IRS had lost key IT personnel with the higher-than-normal expertise to manage security.

The security takeaways from the IRS breach:

• It’s been said time and time again, year after year (in numerous studies), how the majority of security vulnerabilities come from applications, yet businesses keep focusing a big portion of their spending on network security.

• Also reiterated by security experts, the fact that organizations must implement all updates to their security technology and devices to decrease vulnerabilities.

• Continuous monitoring has never been any less important, no matter what technology or security process an organization has in place.

• The undisputed need of expert IT security professionals as part of the team to know the ins and outs of a complete risk management plan and process (yet another voiced concern by those who know the dangers of being vulnerable).

• Finally, the importance of security spending and allocating a budget that allows for risk management to become an integral piece of the business process.

As with other breaches, such as CareFirst’s breach, intruders initiated attempts to access sensitive data and eventually succeeded in their intent.  They most likely used a form of Phishing or social engineering technique to gain the information they needed or they used data from previous breached data, or they simply gathered public sources of information. Whichever way they got the information is not as important as the fact that they got in, and took the data they were after.

Even though the breach could have still taken place, the fact that the IRS had so many holes in their security posture makes it hard not to think that at least had the right security measures been in place, less sensitive data would have been taken or the intruders would have been spotted during their first attempts.  No matter what type of entity or business you are, as long as you hold sensitive data, you are a target.  If you care about your organization, your employees and your customers; you should not tune out breach news or take security lightly.

Acknowledging the need for a holistic information security plan with the necessary people, process, and technology components is the first step for CEOs.  Next is the need for executives and the board to realize that the risk management process is a long-term investment, which requires continuity and that will (without a doubt) bring a return on investment (happy customers, brand trust, secure data).

 
Have you taken the necessary steps to implement information security the right way?

Photo courtesy of alexskopje